Topic: Using Apache2 Proxy and Cache problem with userid/password
AtlantaKid
Joined: 08 Feb 2021 Posts: 2 Location: USA, Atlanta
Posted: Mon 08 Feb '21 21:56 Post subject: Using Apache2 Proxy and Cache problem with userid/password
Hi,
I am running Apache2 on Ubuntu Linux acting as a Proxy & Cache server for a microservice running on localhost. When I perform a logout operation in my Spring Boot microservice app, Apache still remembers the authenticated credentials, and that is a problem. If I turn off caching, all works fine.
My OS & Apache2 versions are
Code: | Ubuntu
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
Apache 2
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17 |
In apache2.conf I have
Code: | # cache control
CacheIgnoreNoLastMod On
CacheIgnoreCacheControl On
# unset headers from upstream server
Header unset Expires
Header unset Cache-Control
Header unset Pragma
ExpiresActive On
ExpiresByType text/html "access plus 1 years"
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/jpg "access plus 1 years"
ExpiresByType image/jpeg "access plus 1 years"
ExpiresByType application/javascript "access plus 1 years"
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk /
CacheHeader on
CacheDefaultExpire 800
CacheMaxExpire 64000
CacheIgnoreNoLastMod On
ExpiresActive on
ExpiresDefault A300
</Location> |
And for the proxy, in my Apache enabled-site conf file I have the config below. I have changed the domain name and SSL digits for privacy reasons.
Code: | </VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias example1.com server4.example.com
ServerAdmin webmaster@example.com
#DocumentRoot /var/www/example.com/www
HostnameLookups off
#---- SSL Config
SSLEngine on
SSLCertificateFile /usr1/SSL/www.example.com/digicert/example_com_111111111example_com.crt
SSLCertificateKeyFile /usr1/SSL/www.example.com/example.com.key
SSLCertificateChainFile /usr1/SSL/www.example.com/digicert/example_com_111111111DigiCertCA.crt
#---- SSL Config ends
#------- Added this for the support of Spring Code
ProxyPreserveHost On
ProxyRequests On
ProxyVia On
ProxyPass / http://127.0.0.1:8081/
ProxyPassReverse / http://127.0.0.1:8081/
#------- Added this for the support of Spring Code done
#-- Redirect the errors to somewhere else
ErrorDocument 404 http://example.com/404.htm
<Directory /var/www/example.com/www>
Options -Indexes +FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost> |
My Spring Boot app annotations are:
Quote: | @PreAuthorize("isFullyAuthenticated() and hasAnyAuthority('USER', 'ADMIN', 'EDITOR')")
@RequestMapping(value = "/welcome", method = RequestMethod.GET)
public String weclome(ModelMap model) {
...........
} |
and my SecurityConfig in Spring boot app is
Code: | // @formatter:off
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.ignoringAntMatchers("/**", "/music/**")
.and().headers().frameOptions().disable()
.and().authorizeRequests().antMatchers("/login/**", "/bye/**")
.permitAll()
.and()
.formLogin()
.loginProcessingUrl("/login").defaultSuccessUrl("/welcome", true)
.and().logout().logoutSuccessHandler(new SimpleUrlLogoutSuccessHandler() {
@Override
public void onLogoutSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
super.onLogoutSuccess(request, response, authentication);
}
}).logoutSuccessUrl("/login").invalidateHttpSession(true).deleteCookies("JSESSIONID")
.permitAll()
.and()
.httpBasic();
}
// @formatter:on |
Can you please advise what config I can do or change so I can enable and use caching in Apache Server again?
Thanks.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Tue 09 Feb '21 20:29
Quote: | If the response contains an "Authorization:" header, it must also contain an "s-maxage", "must-revalidate" or "public" option in the "Cache-Control:" header, or it won't be cached. |
From the docs[1]
So maybe your
Code: |
Header unset Cache-Control
|
is the issue. But I'm not sure about it. You may consult the docs [1][2]
[1] https://httpd.apache.org/docs/2.4/caching.html
[2] https://httpd.apache.org/docs/2.4/mod/mod_authn_socache.html#authncachesocache
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Tue 09 Feb '21 21:58
I tend to agree, James. I think the problem lies with the Apache configuration where the OP unsets various upstream headers coming from the Spring code, namely Pragma and particularly Expires and Cache-Control. Why would he do this for all such responses from the back end?
He doesn't provide detail of the authentication process between the client and the Spring code, but at logout I'd expect some transaction that would invalidate any cached credentials. So I'd personally not delete these headers.
Also, looking at the ExpiresByType entries, where the documentation says: "When the Expires header is already part of the response generated by the server, for example when generated by a CGI script or proxied from an origin server, this module does not change or add an Expires or Cache-Control header." For cases where Expires or Cache-Control hasn't been explicitly set by the back end, I'd consider the figure of one year way too long. Images don't change that often, but HTML, JavaScript and CSS files might change frequently. I'd personally use a mixture of hours and days depending on the content type.
AtlantaKid
Joined: 08 Feb 2021 Posts: 2 Location: USA, Atlanta
Posted: Wed 10 Feb '21 15:25 Post subject: Using Apache2 Proxy and Cache problem with userid/password
Hello, per your suggestions I made the following modifications in my cache control, and user login/logout seems to be working fine.
These were the changes from the previous config.
#-- took out per forum suggestion 20210210
#Header unset Cache-Control
and
ExpiresByType text/html "access plus 1 days "
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/jpg "access plus 5 days"
ExpiresByType image/jpeg "access plus 5 days"
ExpiresByType application/javascript "access plus 1 seconds"
Code: | # cache control
CacheIgnoreNoLastMod On
CacheIgnoreCacheControl On
# unset headers from upstream server
Header unset Expires
#-- took out per forum suggestion 20210210
#Header unset Cache-Control
Header unset Pragma
ExpiresActive On
ExpiresByType text/html "access plus 1 years"
ExpiresByType image/png "access plus 1 years"
ExpiresByType image/jpg "access plus 5 days"
ExpiresByType image/jpeg "access plus 5 days"
ExpiresByType application/javascript "access plus 1 seconds"
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk /
CacheHeader on
CacheDefaultExpire 800
CacheMaxExpire 64000
CacheIgnoreNoLastMod On
ExpiresActive on
ExpiresDefault A300
</Location> |
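Added example (not from any poster in this thread, and not mod_cache's own logic): a simplified model of the RFC 7234 shared-cache storing rules, applied to the two `Header unset` sets posted above. The backend headers for /welcome are an assumption modelled on Spring Security's default cache headers, and all function and variable names are hypothetical.

```python
# Added example: a simplified model of the RFC 7234 section 3 storing rules
# for a shared cache. It is not mod_cache's code; every name is hypothetical.

def directives(headers):
    """Lower-cased Cache-Control directive names from a lower-cased header dict."""
    value = headers.get("cache-control", "")
    return {p.split("=", 1)[0].strip().lower() for p in value.split(",") if p.strip()}

def header_unset(headers, names):
    """Model `Header unset <name>`; assumes it applies before the cache decides."""
    drop = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k not in drop}

def shared_cache_may_store(request, response):
    """True if a shared cache is allowed to store this response."""
    cc = directives(response)
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in request:
        # The rule quoted from the caching guide earlier in the thread.
        return bool(cc & {"public", "must-revalidate", "s-maxage"})
    # Assumption: with no freshness headers the cache applies a default
    # lifetime, as CacheDefaultExpire and CacheIgnoreNoLastMod On do above.
    return True

# Constructed sample: what the backend is assumed to send for /welcome.
BACKEND_WELCOME = {
    "content-type": "text/html",
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
}
# Constructed requests: a form-login session cookie and an HTTP Basic request.
REQUESTS = {"session": {"cookie": "JSESSIONID=constructed"},
            "basic": {"authorization": "Basic constructed"}}
# The `Header unset` lines from the first post and from the revised config.
CONFIGS = {"original": ["Expires", "Cache-Control", "Pragma"],
           "revised": ["Expires", "Pragma"]}

def audit():
    """Map (config, request kind) -> whether the proxy cache may store /welcome."""
    return {(cfg, kind): shared_cache_may_store(req, header_unset(BACKEND_WELCOME, unset))
            for cfg, unset in CONFIGS.items() for kind, req in REQUESTS.items()}

if __name__ == "__main__":
    for key, storable in sorted(audit().items()):
        print(key, "storable" if storable else "not stored")
```

In this model only the original header set combined with a cookie-based session comes out as storable, which is the case where a page rendered for a logged-in user could be replayed from the cache after logout.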